feat(vpn): add tag-aware WireGuard AllowedIPs for VPN-gated routes

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.20.1',
+  version: '11.21.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -2105,6 +2105,39 @@ export class DcRouter {
         // Re-apply routes so tag-based ipAllowLists get updated
         this.routeConfigManager?.applyRoutes();
       },
+      getClientAllowedIPs: (clientTags: string[]) => {
+        const subnet = this.options.vpnConfig?.subnet || '10.8.0.0/24';
+        const ips = new Set<string>([subnet]);
+
+        // Determine the server's public-facing IP(s) that VPN-gated domains resolve to
+        const publicIPs: string[] = [];
+        if (this.options.proxyIps?.length) {
+          publicIPs.push(...this.options.proxyIps);
+        }
+        if (this.options.publicIp) {
+          publicIPs.push(this.options.publicIp);
+        } else if (this.detectedPublicIp) {
+          publicIPs.push(this.detectedPublicIp);
+        }
+        if (!publicIPs.length) return [...ips];
+
+        // Check routes for VPN-gated tag match
+        const routes = this.options.smartProxyConfig?.routes || [];
+        for (const route of routes) {
+          const dcRoute = route as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig;
+          if (!dcRoute.vpn?.required) continue;
+
+          const routeTags = dcRoute.vpn.allowedServerDefinedClientTags;
+          if (!routeTags?.length || clientTags.some(t => routeTags.includes(t))) {
+            for (const ip of publicIPs) {
+              ips.add(`${ip}/32`);
+            }
+            break; // All routes resolve to the same server IPs
+          }
+        }
+
+        return [...ips];
+      },
     });
 
     await this.vpnManager.start();

ts/vpn/classes.vpn-manager.ts

@@ -29,6 +29,10 @@ export interface IVpnManagerConfig {
     allowList?: string[];
     blockList?: string[];
   };
+  /** Compute per-client AllowedIPs based on the client's server-defined tags.
+   *  Called at config generation time (create/export). Returns CIDRs for WireGuard AllowedIPs.
+   *  When not set, defaults to [subnet]. */
+  getClientAllowedIPs?: (clientTags: string[]) => string[];
 }
 
 interface IPersistedServerKeys {
@@ -190,6 +194,15 @@ export class VpnManager {
       description: opts.description,
     });
 
+    // Override AllowedIPs with per-client values based on tag-matched routes
+    if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
+      const allowedIPs = this.config.getClientAllowedIPs(opts.serverDefinedClientTags || []);
+      bundle.wireguardConfig = bundle.wireguardConfig.replace(
+        /AllowedIPs\s*=\s*.+/,
+        `AllowedIPs = ${allowedIPs.join(', ')}`,
+      );
+    }
+
     // Persist client entry (including WG private key for export/QR)
     const persisted: IPersistedClient = {
       clientId: bundle.entry.clientId,
@@ -199,7 +212,8 @@ export class VpnManager {
       assignedIp: bundle.entry.assignedIp,
       noisePublicKey: bundle.entry.publicKey,
       wgPublicKey: bundle.entry.wgPublicKey || '',
-      wgPrivateKey: bundle.secrets?.wgPrivateKey,
+      wgPrivateKey: bundle.secrets?.wgPrivateKey
+        || bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim(),
       createdAt: Date.now(),
       updatedAt: Date.now(),
       expiresAt: bundle.entry.expiresAt,
@@ -273,7 +287,8 @@ export class VpnManager {
     if (client) {
       client.noisePublicKey = bundle.entry.publicKey;
       client.wgPublicKey = bundle.entry.wgPublicKey || '';
-      client.wgPrivateKey = bundle.secrets?.wgPrivateKey;
+      client.wgPrivateKey = bundle.secrets?.wgPrivateKey
+        || bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim();
       client.updatedAt = Date.now();
       await this.persistClient(client);
     }
@@ -282,21 +297,32 @@ export class VpnManager {
   }
 
   /**
-   * Export a client config. Injects the stored WG private key for complete configs.
+   * Export a client config. Injects stored WG private key and per-client AllowedIPs.
    */
   public async exportClientConfig(clientId: string, format: 'smartvpn' | 'wireguard'): Promise<string> {
     if (!this.vpnServer) throw new Error('VPN server not running');
     let config = await this.vpnServer.exportClientConfig(clientId, format);
 
-    // Inject stored WG private key so exports produce valid, scannable configs
     if (format === 'wireguard') {
       const persisted = this.clients.get(clientId);
+
+      // Inject stored WG private key so exports produce valid, scannable configs
       if (persisted?.wgPrivateKey) {
         config = config.replace(
           '[Interface]\n',
           `[Interface]\nPrivateKey = ${persisted.wgPrivateKey}\n`,
         );
       }
+
+      // Override AllowedIPs with per-client values based on tag-matched routes
+      if (this.config.getClientAllowedIPs) {
+        const clientTags = persisted?.serverDefinedClientTags || [];
+        const allowedIPs = this.config.getClientAllowedIPs(clientTags);
+        config = config.replace(
+          /AllowedIPs\s*=\s*.+/,
+          `AllowedIPs = ${allowedIPs.join(', ')}`,
+        );
+      }
     }
 
     return config;